1.What is the tcode to define/create and modify workflow ? 
SWDD 


2.When does a workflow starts in the system ? 


Workflow is generally triggered by events. 


3.How does users interact with workflows ? 
Users interact with workflow system through work items which are accessible by using SAP 
Inbox(SBWP). 


4.What are different ways of defining possible agents of a task ? 
Job, Positions, Rule and direct SAP User ID. 


5.What is the tcode to transport task attributes to different systems ? 


Transaction Code: RE_LRHMOVE30 and Program Name: RHMOVE30 


6.What are different types of Workflow containers and how many are they ? 
There are 5 containers in workflow. 

Workflow container(global), 

Task container 

Rule container 

Event container 


Method container. For more details types of containers in sap workflow. 


7.Will you maintain workflow number ranges in Quality and Production system ? 
No. Number ranges are defined only in development system because we create workflows 


only in development system. 


8.What is the tcode to check error workflows/workitems ? 
SWI2_DIAG 


9. What is the tcode to restart the error workflows/workitems ? 
SWPR 


10. I have a Task,i need to know in which workflows these task is used,how do i 
know it ? 
By using the tcode SWI11(Where-Used List of Task) you can identify it. 


11. My workflow is not getting triggered, What are the possible cases of it ? 
No Start Events for the workflow. 
Start Condition of the Start Event is not satisfied. 


12. What is the tcode to test the workflows ? 
SWUS 


13. In Send Mail step i want to insert dynamic data, can i ? 
Yes, you can include dynamic data in the email subject and body by using the container 
elements. A button called “Insert Expression” is available to insert the container elements. 


14. What is the tcode to create custom Business Object ? 
Swoi 


15.Which step you will choose to check multiple conditions at 1 time? 
Multiple Condition Step 


16. How can i store multiple records in a container element in sap workflow ? 
If you make any container element as “Multiline” you can store multiple records.To know 
more about different types of containers 


17.If i want to use a container element in multiple steps in the workflow, where 
should i declare the element ? 
In Workflow Container 


18.I have two task which are available for user execution as workitems.I want to 
show the second workitem immediately after executing the first one for the same 
user. What should i do ? 


Check the “Advance with dialog” in the first task. For more details click here 


19. I need send emails to some users when workflow in completed, but i don’t 
want use email step in the workflow. Can i achieve this ? 
Yes, In workflow header we have a tab called “Notification”. Provide the receipts and email 


text here, once the workflow is completed all the user will get emails. Try it yourself. 


20. What is the tcode for Workflow Customization ? 
SWU3 


21. What is the tcode for event linkages ? 
SWE2 or SWETYPV 


Link for all Exam Dumps 


http://www.testsnow.net/list/766/1.html 


Link http://www.testsnow.net/txt/3/3367/0.html for below questions 
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Questions 1. Your customer has created a custom transaction 
code ZFBION by copying transaction FB10 and implementing a 
user exit. 

How can you incorporate the customer enhancement into the 
global rule set so that it will be available for Risk 
Analysis? 

A. Update security permissions in all relevant authorization 
objects, maintain the custom program name in all relevant 
functions, and generate the access rules. 

B. Update all relevant functions with ZFBION, maintain the 
permission values for all relevant authorization objects, 
and generate the access rules. 

C. Update all relevant functions with ZFBION, maintain the 
permission values in the relevant access risk, and generate 
the global rule set. 

D. Update the relevant access risk with ZFBION, maintain 
access rules in all relevant functions, and generate the 
global rule set. 

Answer: B 


Explanation: 


Questions 2. What is the purpose of role mining? 


A. To consolidate roles by taking actions after running 


comparisons 

B. To compare authorizations by merging roles during the 
back-end synchronization 

C. To consolidate authorizations by merging roles in one 
step 

D. To compare roles by running back-end synchronizations 
Answer: A 


Explanation: 


Questions 3. Which of the following attributes are mandatory 
when creating business role definition details in Business 
Role Management? (Choose three) 

Functional Area 

Company 

Landscape 


Project Release 


H S O ee 


Application Type 
Answer: C, D,E 


Explanation: 


Questions 4. You maintain rules in the BRFplus framework. 
For which rule kind can you activate the Return all matches 
found” option for the decision table? 

A. GRC API rule 

B. Agent rule 

C. Routing rule 

D. Initiator rule 

Answer: B 


Explanation: 


Questions 5. Which objects must you activate when you create 


a BRFplus Routing rule? (Choose three) 
Initiator Flat Rule 

Function 

Application 


Decision Table 


ee O p 


Result Column 
Answer: b © D 


Explanation: 


Questions 6. You want to update two authorizations that are 
shared across multiple roles. How do you accomplish this 
most efficiently? 

A. Update each authorization in all roles in two mass role 
update sessions. 

B. Update each authorization in one role in multiple mass 
role update sessions. 

C. Update both authorizations in all roles in one mass role 
update session. 

D. Update both authorizations in one role in multiple mass 
role update sessions. 

Answer: A 


Explanation: 


Questions 7. What information is available in the audit 
trail log for access rules? (Choose two) 

A. Which terminal ID the change was made from 

B. When the change was made 

C. Who made the change 

D. Who approved the change 

Answer: B,C 


Explanation: 


Questions 8. You want to make Risk Analysis mandatory before 
an approver submits a request. 

How do you enable this in Access Control? 

A. Activate “Exclude objects for batch risk analysis’ in the 
IMG. 

B. Set “Show all objects in risk analysis” (parameter ID 
1036) “to YES. 

C. Set “Enable risk analysis on form submission’ (parameter 
LPO to VES. 

D. Activate the corresponding MSMP stage task setting. 
Answer: D 


Explanation: 


Questions 9. For which purpose can you use organizational 
value mapping? 

A. To maintain derived roles with organizational units 

B. To group roles by organization 

C. To maintain composite roles with organizational units 
D. To group users by organization 

Answer: A 


Explanation: 


Questions 10. How does SAP deliver updates to the standard 
rule set for Access Control? 

A. As BC sets in a Support Package that must be activated in 
the target system by the system administrator 

B. As attachments in an SAP Note that must be entered 
manually by the system administrator 

C. As XML files in an SAP Note that need to be uploaded by 


the system administrator 


D. As BC sets in a Support Package that are automatically 
activated when the Support Package is deployed 
Answer: B 


Explanation: 
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Questions 11. Which periodic review process allows a role 
owner to remove roles from the users? 

A. UAR Review 

B. SoD Review 

C. Firefighter Log Review 

D. Role Certification Review 

Answer: A 


Explanation: 


Questions 12. For which IMG object can you activate the 
password self-service (PSS) in Access Control? 

A. Logical system 

B. Connector 


C. Cross system 


D. Condition group 
Answer: B 


Explanation: 


Questions 13. You are building a BRFplus Flat rule decision 
table for use with role provisioning and you want your 
result set to be derived using the role line item data. You 
must therefore configure the results column value for the 
LINE ITEM KEY key field. 

Which field from the context query do you select to achieve 
this? 


AS ROLECTYP 
B. ITEMNUM 
Co CRITLYL 
D. ROLE NAME 
Answer: B 
Explanation: 


Questions 14. Which connection type do you use for the RFC 
destination to establish a connection between GRC and an SAP 
ERP back-end system? 

A. Logical connection 

Be TCP/IP comection 

C. ABAP connection 

D. ABAP driver connection 

Answer: C 


Explanation: 


Questions 15. Which of the following role provisioning types 
does Access Control user provisioning support? (Choose 
three) 


Direct 
Indirect 
Auto-provisioning at end of request 


No provisioning 


= a SS tS iS 


Combined 
Answer: A, B,E 


Explanation: 


Questions 16. Which report types require the execution of 
batch risk analysis? (Choose two) 

Ad-hoc risk analysis reports 

Offline risk analysis reports 

User level simulation reports 


Access rules detail reports 


Be Tepe 


User and role analysis dashboards 
Answer: B,E 


Explanation: 


Questions 17. Which reviewers can you select using the 
Access Control configuration parameter 2006 (Who are the 
reviewers) for user access review (UAR)? (Choose two) 
MANAGER 

ROLE OWNER 

RISK OWNER 

SECURITY LEAD 

APPROVER 


Answer: A,B 


SSO a 


Explanation: 


Questions 18. Which of the following are rule types used in 
MSMP workflow? (Choose three) 


Web Service rule 

ABAP Class-Based rule 
Function Module-Based rule 
BRFplus rule 

ABAP User Exit-Based rule 
Answer: B,C, D 


Explanation: 


= a a tS iS 


Questions 19. How do you manually replicate initiators from 
a previous version of Access Control so they can be used in 
BRFplus and a MSMP workflow? 

A. Create multiple initiator rules and assign them to a 
process ID containing different detour pathassignments. 

B. Create an initiator rule and assign it to multiple 
process IDs. 

C. Create multiple initiator rules and assign them to a 
process ID. 

D. Create an initiator rule and assign it to a process ID. 
Answer: D 


Explanation: 


Questions 20. For what purpose can you use the Role Status 
attribute in Business Role Management? 

A. To organize the authorization structure for your company 
B. To indicate that a role is relevant for a specific 
project 

C. To restrict the roles available for user access requests 
D. To define how essential a role might be for your company 
Answer: C 


Explanation: 


Questions 21. What does an agent rule determine? 

A. The workflow initiator to be executed 

B. The workflow detour routing to be executed 

C. The available variables to be used in notifications 
D. The approvers/recipients for the workflow 

Answer: D 


Explanation: 


Questions 22. For which of the following scenarios would you 
activate the end-user logon function? 

A. A user has no access to the Access Control system and 
needs to submit a request for access. 

B. A user has been promoted to manager and needs to log on 
to the Access Control system to approve a pending request. 

C. A user has successfully completed validation testing. 

D. A user has signed a non-disclosure agreement (NDA). 
Answer: A 


Explanation: 


Questions 23. You need to create an access request workflow 
for a role assignment that will have two or three approval 
steps, depending on the role criticality level. 

Which type of rule do you use? 

A. BRFplus Flat rule 

B. MSMP Notification rule 

C. MSMP Agent rule 

D. BRFplus rule 

Answer: A 


Explanation: 


Questions 24. You have activated the MSMP workflow Business 
Configuration (BC) Sets delivered by SAP. However, your 
customer requires a four-stage workflow for the Access 
Request process to include an approval by the system owner. 
How do you achieve this? 

A. Define a custom notification template and assign it to 
the corresponding BRFplus Flat rule. 

B. Deactivate the standard BC Set and create a custom BC 
Set. 

C. Create an additional stage and define the appropriate 
agent rule. 

D. Use an existing agent rule and remove one stage. 

Answer: C 


Explanation: 


Questions 25. How do you enable stage configuration changes 
to become effective after a workflow has been initiated? 

A. Activate the Path Reroute indicator. 

B. Activate the Path Override Assignment Type indicator. 

C. Activate the Path Reval New Role (Revaluation) indicator. 
D. Activate the Runtime Configuration Changes OK indicator. 
Answer: D 


Explanation: 


Questions 26. Where can you define a mitigating control? 
(Choose three) 

A. In the mitigating controls workset in Access Control 
B. In the rule setup in Access Control 

C. In the Access Control risk analysis result screen 

D 


In the central process hierarchy in Process Control 


E. In the activity setup in Risk Management 
Answer: A, C, D 


Explanation: 


Questions 27. You have created an agent rule in BRFplus. 
Which additional configurations do you have to perform to 
use this agent rule in a workflow? (Choose two) 

A. Define agents and their purposes. 

B. Maintain workflow route mappings. 

C. Link the rule to the appropriate process ID. 

D. Define notification variables. 

Answer: A, C 


Explanation: 


Questions 28. Which indirect provisioning types are 
supported in user provisioning? (Choose three) 
Organization Type 

Job 

Post ion 

Holder 

User 

Answer: A,B,C 


Explanation: 


SS eS Se 


Questions 29. Which agent purposes are available in MSMP 
workflow? (Choose two) 

Approval 

Notification 

Forwarding 


Routing 


J a g e 


Rejection 


Answer: A,B 


Explanation: 


Questions 30. Which of the following objects can you 
customize for MSMP workflows? (Choose two) 

A. Multiple initiator rule IDs for one process ID 

B. Multiple paths for one process ID 

C. Multiple agent IDs for one stage 


D. Multiple notification templates for one process ID 
Answer: B,D 


Explanation: 


Questions 31. Which of the following owner types must be 
assigned to a user to receive the notification that a log 
report has been generated as the result of a Firefighter 
session? 

A. Mitigation approver 

B. Firefighter ID owner 

C. Firefighter ID controller 

D. Firefighter role owner 

Answer: C 


Explanation: 


Questions 32. How are lines and columns linked in a BRFplus 
initiator decision table? 

A. A column to a column through a logical OR 

B. A column to a line through a logical OR 

C. A column to a column through a logical AND 

D. A line to a line through a logical AND 


Answer: C 


Explanation: 


Questions 33. You want to create a connector to an SAP ERP 
client. You must therefore define the technical parameters 
for the Remote Function Call (RFC) destination. What does 
SAP recommend regarding the name of the RFC destination? 
A. The RFC destination name must begin with the prefix 
“GRC”. 

B. The RFC destination name must be the same as the logical 
system name. 

C. The RFC destination name must include the installation 
number of the destination system. 

D. The RFC destination name must include the IP address of 
the target destination. 

Answer: B 


Explanation: 


Questions 34. What are Business Configuration (BC) Sets for 
Access Control? (Choose two) 

A. A collection of configuration settings designed to 
populate SAP tables with content 

B. A set of system parameter settings 

C. A collection of configuration settings designed to 
populate custom-defined tables with content 

D. A set of predefined Customizing settings 

Answer: A, D 


Explanation: 


Questions 35. What must you define in order to analyze user 
aecess Lor a €riuieal transaction: 


A A Crivical miiigation Control 


B. A critical role 

C A eritical protile 

D. A critical access rule 
Answer: D 


Explanation: 


Questions 36. Which prerequisites must be fulfilled if you 
want to create a technical role using Business Role 
Management? (Choose two) 

A. The role methodology must be defined. 

B. Organizational level mapping must be created. 

C. Role attributes such as business process and subprocess 
must be defined. 

D. The workflow approval path and relevant approvers must be 
defined. 

E. Access risk rules must be generated. 

Answer: A, C 


Explanation: 


Questions 37. Which of the following actions in Business 
Role Management require a connection to a target system? 
(Choose three) 

Generation 

Authorization maintenance (actions and permissions) 
Risk analysis 


Approval 


SP Tore | 


Testing 
Answer: A, B, C 


Explanation: 


Questions 38. You have created a new end-user 


personalization (EUP) form. 

Where can you make use of this EUP form? (Choose two) 
A. In a stage configuration of a workflow 

B. In an organizational assignment request 

C. In a template-based request 

D. In a model user request 

Answer: A,C 


Explanation: 


Questions 39. Which combination of rule kind and rule type 
determines the path upon submission of a request? 

A. Agent rule ?BRFplus Flat 

B. Routing rule ?BRFplus 

C. Initiator rule ?BRFplus 

D. Agent rule ?ABAP Class-—Based 

Answer: C 


Explanation: 


Questions 40. Which transaction do you use to monitor 
background jobs in Access Control repository 
synchronization? 

A. Schedule Background Jobs (SM36) 

B. Test Background Processing (SBTA) 

C. Batch Input Monitoring (SM35) 

D. Overview of Job Selection (SM37) 

Answer: D 


Explanation: 


Questions 41. Which type of user account does an emergency 


access user need to log on to a Firefighter session using 


transaction GRAC SPM? 

A. A user account in the User Management Engine (UME) 
B. A user account in the Access Control system 

C. A user account in the LDAP system 

D. A user account in the target system 

Answer: B 


Explanation: 


Questions 42. Which of the following IMG activities are 


common component settings shared across GRC? (Choose three) 


A. Maintain plug-in settings. 

B. Maintain connection settings. 

C. Maintain mapping for actions and connector groups. 
D. Define a connector. 

E. Assign a connector to a connector group. 

Answer: B, D,E 

Explanation: 


Questions 43. What does assigning the Logical Group (SOD- 
LOG) type to a connector group allow you to do? 

A. Run a cross-system analysis. 

B. Use the connector group for transports to the target 
system. 

C. Monitor the target system. 

D. Use the connector group as a business role management 
landscape. 

Answer: D 


Explanation: 


Questions 44. You have set up your Firefighter IDs in the 


target system. 


Which of the following jobs do you have to run to 
synchronize these IDs and their role assignments with the 
Access Control system? 

A. GRAC_SPM WORKFLOW SYNC 

B. GRAC_REPOSITORY_OBJECT SYNC 

C. GRAC_ SUPER USER MGMT USER 

D. GRAC PFCG AUTHORIZATION SYNC 


Answer: B 


Explanation: 


Questions 45. What do you mitigate using Access Control? 
A. Roles 

B. Users 

C. Risks 

D. Functions 

Answer: C 


Explanation: 


Questions 46. What information must you specify first when 


you copy a user access request? 


A. User ID 

B. System ID 

C. Role 

D. Request number 
Answer: D 
Explanation: 


Questions 47. Which integration scenarios are specific to 
Access Control? (Choose three) 

A. Provisioning (PROV) 

B. Risk Management (RMGM) 


C. Superuser Privilege Management (SUPMG) 
D. Automatic Monitoring (AM) 

E. Authorization Management (AUTH) 
Answer: A,C,E 


Explanation: 


Questions 48. You have identified some risks that need to be 
defined as cross-system risks. How do you configure your 
system to enable cross-system risk analysis? 

A. 4. Generate rules. 

B. 4. Generate rules. 

C. 4. Generate rules. 

D. 4. Generate rules. 

Answer: D 


Explanation: 


Questions 49. Your customer wants to eliminate false 
positives from their risk analysis results. 

How must you configure Access Control to include 
organizational value checks when performing a risk analysis? 
(Choose two) 

A Confisure organization rules tor each relevant finetion. 
B. Update the functions that contain each relevant action by 
activating the fields for the required permissions and 
maintaining a value for each specific organization. 

C. Configure organization rules for each relevant risk. 

D. Update the functions that contain each relevant action by 
activating the fields for the required permissions. 

E. Configure organization level system parameters to 
incorporate all organization levels for each relevant risk. 


Answer: C D 


Explanation: 


Questions 50. Your customer wants to adapt their rule set to 
include custom programs from their SAP ERP production 
system. How do you ensure that the custom programs can be 
maintained properly in the rule set? (Choose three) 

A. Maintain all relevant authorization objects and the 
associated default field values in transaction SU24 in the 
GRC system. 

B synchronize SU24 data for use in Access Control Function 
maintenance using transaction GRAC AUTH SYNC. 

GC. Synchronize SUZ4 data for use im Access Control Function 
maintenance using transaction GRAC REP OBJ SYNC. 

D. Maintain all relevant authorization objects and the 
associated default field values in transaction SU24 in the 
SAP ERP system. 

E. Create a custom transaction code for each customer 
program using transaction SE93 in the SAP ERP system. 
Answer: B, D,E 


Explanation: 


Questions 51. Which auto-provisioning options are available 
in the global provisioning configuration? (Choose three) 
Manual Provisioning 

Indirect Provisioning 

Auto-Provision at End of Request 


No Provisioning 


m o a 


Combined Provisioning 
Answer: A, C, D 


Explanation: 


Questions 52. Which tasks must you perform to enable a user 
to begin a central Firefighter session? (Choose three) 

A. Create a user ID for the Firefighter in the target 
system. 

B. Assign an owner to the Firefighter. 

C. Maintain Firefighter ID owners in Access Control owners. 
D. Maintain reason codes in Superuser Maintenance. 

E. Assign a controller and a Firefighter to a Firefighter 
ID. 

Answer: C,D,E 


Explanation: 


Questions 53. What data is synchronized when you run the 
GRAC REPOSITORY OBJECT SYNC report? (Choose three) 
Profiles 

Roles 

Role usage 

PFCG authorizations 

Users 

Answer: A, B,E 


Explanation: 


Pe ee ne ee ue 


Questions 54. You create a BRFplus initiator rule for the 
Access Request approval workflow. Which standard request 
attribute that is listed as a header data object, as well as 
a line item data object, can you insert into a condition 
column? 

A. Location 

B. Business Process 


C. Department 


D. Priority 
Answer: B 


Explanation: 


Questions 55. Why would you generate a new MSMP workflow 
version? 

A. To activate the stage configuration settings 

B. To deactivate parallel batch processing 

C. To delete the existing workflow configuration settings 
D. To change the process global settings 

Answer: A 


Explanation: 


Questions 56. You want to synchronize the Access Control 
repository with data from various clients. In which sequence 
do you execute the synchronization jobs? 

A. 4. Role Usage Sync 

B. 4. Repository Object Sync (profile, role, user) 

C. 4. Role Usage Sync 

D. 4. Role Usage Sync 

Answer: D 


Explanation: 


Questions 57. Which task is mandatory for the successful 
generation of a workflow? 

A. Transport every generated workflow version. 

B. Correct errors prior to activating the workflow. 

C. Save the workflow version locally. 

D. Perform a workflow version simulation. 

Answer: B 


Explanation: 


Questions 58. Who approves the review of the periodic 
segregation of duties? 

A. Mitigation monitors 

B. Role owners 

C. Mitigation approvers 

D. Risk owners 

Answer: D 


Explanation: 


Questions 59. You have updated authorization data for your 
roles in the target system using PFC 

G. You now want to synchronize the authorization data in 
Business Role Management without changing the existing role 
attributes. How do you accomplish this? 

A. Use the Role Import template. 

B. Use the Role Mass Update function. 


C. Use the Role Mining function. 


D. Use the Mass Role Generation function. 
Answer: C 


Explanation: 


Questions 60. Which Access Control master data is shared 
with Process Control and Risk Management? 

A. Access risk master data 

B. Organizational master data 

C. Business process master data 

D. Subprocess master data 

Answer: B 


Explanation: 


Questions 61. Which of the following objects can you 
maintain in the “Maintain Paths” work area of MSMP workflow 
configuration? (Choose three) 

Paths 

Path versions 

Rules for path mappings 


Stage notification settings 


eS iS 


Stages 
Answer: A, D,E 


Explanation: 


Questions 62. For what purpose can you use the Display Revw 
Screen setting in MSMP Stage Details? 

A. To view the rule result 

B. To view the stage configuration 

C. To view the initiator rule 

D. To view the access request 

Answer: D 


Explanation: 


Questions 63. How do you enable the Access Control audit 
trail function for access rules? 

A. Activate the relevant configuration parameter using the 
Customizing ?Edit Project (SPRO) transaction. 

B. Activate the table logging parameter using the Profile 
Parameter Maintenance (RZ11) transaction. 

C. Activate table logging using the Table History (SCU3) 
transaction. 


D. Activate the security audit log using the Security Audit 


Configuration (SM19) transaction. 
Answer: A 


Explanation: 


Questions 64. Which process steps should you perform when 
you define a workflow-related MSMP rule? (Choose two) 

A. Save a bottom expression. 

B. Select a result data object. 

C. Select result parameters. 

D. Save condition parameters. 

Answer: B, D 


Explanation: 


Questions 65. Which of the following jobs do you have to 
schedule to collect Firefighter session information? 

A. GRAC SPM LOG ARCHIVING 

B. GRAC_SPM WORKFLOW SYNC 

C. GRAC_SPM LOG _SYNC_UPDATE 

D. GRAC SPM CLEANUP 


Answer: C 


Explanation: 


Questions 66. You define a background job using transaction 
SM36. Which of the following options are start conditions 
you can use to schedule the background job to run 
periodically? (Choose two) 

A. Step 

B. Class 

C. Date/Time 

D. Immediate 


Answer: C, D 


Explanation: 


Questions 67. Which transaction do you use to access the 
general Customizing activities for Access Control? 

A. MSMP Workflow Configuration (GRFNMW CONFIGURE) 

B. Customizing ?Edit Project (SPRO) 

C. Launchpad Customizing (LPD CUST) 

D. Call View Maintenance (SM30) 

Answer: B 


Explanation: 


Questions 68. You have maintained an end-user 
personalization (EUP) form and set a particular field as 
mandatory. 

Which additional field attribute settings are required? 
(Choose two) 

Theviteldvarvcibiter Visible mist iberset to. ves . 

A default value must be maintained for the field. 

The field attribute Editable must be set to “Yes”. 
The field attribute Visible must be set to “No”. 

The field attribute Editable must be set to No. 


Answer: A, C 


SS a ee 


Explanation: 


Questions 69. What is a mandatory prerequisite for creating 
business roles in Business Role Management? 

A. A condition group must be created. 

B. A role methodology must exist. 

C. A workflow approval must be configured. 

D. A role naming convention must be defined. 


Answer: B 


Explanation: 


Questions 70. Your customer wants a manager to fulfill both 
MSMP workflow agent purposes. 

How do you configure this? 

A. Maintain the manager agent twice, once for each purpose, 
using the same agent ID. 

B. Maintain the manager agent once and assign both purposes 
to it without using an agent ID. 

C. Maintain the manager agent twice, once for each purpose, 
using different agent IDs. 

D. Maintain the manager agent once and assign both purposes 
to it using the same agent ID. 

Answer: C 


Explanation: 


Questions 71. Which transaction can you use to customize 
notification templates? 

A. Change Documentation (SIT1) 

B. SAP Documentation (SE61) 

C. Message Maintenance (SE91) 

D. Documentation Message Types (WE64) 

Answer: B 

Explanation: 


Questions 72. What is the purpose of a mitigating control? 
A. To control the access that is allowed to be assigned to a 
role 

B. To determine which users are allowed to access the system 
C. To assign a compensating control to a risk 

D 1o limit the access that is allowed to be assiened to a 
user 


Answer: C 
Explanation: 


Questions 73. Which BRFplus object is used as a container 
for all other BRFplus objects? 

A. Expression 

B. Condition Group 

C. Application 

D. Function 

Answer: C 

Explanation: 


Questions 74. Which of the following tasks must you perform 
if you want to enable a user to log on to a Firefighter ID? 
A. Schedule the Firefighter Workflow Sync job periodically. 
B Run the Firefighter Log Syne job: 

C. Set up the Firefighter log configuration parameters. 

D. Create a reason code. 

Answer: D 

Explanation: 


Questions 75. Which of the following is a feature of 
centralized Emergency Access Management? 

A. Reason codes are defined once and assigned per system. 
B. The Firefighter is required to log on to each target 
system to perform Firefighter activities. 

C. The Firefighter IDs are created centrally in Access 
Controls 

D. Administration, reporting, and Firefighter logon are 
performed on target systems. 

Answer: A 

Explanation: 


Questions 76. You have added a new stage to an existing path 
and set the approval type to “Any One Approver” (A in the 


attached screenshot). Now you set the approval type to “All 
Approvers’ in the default stage details of the new stage (B 
in the attached screenshot). 

Which approval type will become effective? 


Approval Type: [Ar 
Routing Enabled: [y] 
Rule D: * [GRAC_MSMP_DETOUR_SOOVIOL (P) Additional approval if risks found 
Routing Levet * [Stage Levei v] 


Escalation Type: [No Escalation +] 


B. None 
CPA 
DA 
Answer: C 


Explanation: 


Questions 77. You want to maintain roles using Business Role 
Management. 

How do you import the roles from the back-end system? 

A. Use an SAP transport. 

B. Execute the Role Import background job directly in the 


back-end system. 

C. Use the standard import template. 

D. Execute the Role Repository Sync program. 
Answer: C 


Explanation: 


Questions 78. You want to assign an owner when creating a 
mitigating control. However, you cannot find the user you 
want to assign as an owner in the list of available users. 
What could be the reason? 

A. The user is already assigned as an owner to another 
mitigat ing controll, 

B. The workflow for creating a mitigating control has not 
yet been approved. 

C. The user is locked. 

D. The user has not been assigned as an owner in the 
organizational hierarchy. 

Answer: D 


Explanation: 


Questions 79. Which configuration parameters determine the 
content of the log generated by the SPM Log Synch job? 
(Choose three) 

Enable Risk Change log (1002) 

Enable Authorization Logging (1100) 

Retrieve System log (4004) 

Retrieve OS Command log (4006) 

Retrieve Audit log (4005) 

Answer: C, D,E 


Explanation: 


SS) a a ES 


Questions 80. Which activity can you perform when you use 
the Test and Generate options in transaction MSMP Rule 
Generation/Testing (GRFNMW DEV RULES) ? 

A. Generate and activate a BRFplus flat rule for workflow- 
related rules. 

B. Create a rule type for workflow-related rules. 

C. Create an MSMP process ID for workflow-related rules. 

D. Generate and activate function modules for workflow- 
related rules. 

Answer: D 


Explanation: 


SAP GRC Interview Questions 


Activate Access Control BC Sets 

Establish a RFC connection in the GRC-AC 10 environment to the target system 
Assign the appropriate integration scenario to enable the connection to function 
properly with Role Management 

Perform Automatic Workflow Customizing 

Default SAP GRC Roles 

Various Repository Sync 

Various kinds of data which is synchronized 

User Master Data 

Role Master Data 

Profile Master Data 

PFCG Authorization Data 

Action Usage 

Role Usage 

AC Configuration Settings 


Business Process: Categories used to classify data to report Risk Analysis results. 
Function: A grouping of one or more related actions and/or permissions for an 
activity. 

Risk: A grouping of one or more conflicting functions that presents an opportunity 
for physical loss, fraud, process disruption, or productivity loss. 

Rule: Two or more conflicting actions and/or permissions that create a risk. 


Relavent Tables for the Risk Rule Set 
Manage mitigating controls assigned to users, roles, profiles and HR objects 
Mitigation Control Assignment 


May be assigned after running risk analysis (Summary, Detail, Management 
Summary) 

Directly to a control 

During user provisioning 


Central repository for roles that are available for provisioning 
Central repository for the role approvers for each role 


Define request type 

Actions determine what occurs at the end of a request in the back-end system 
Create / Change User 

Lock / Unlock User 

Assign Object 

Activate / Inactivate 

Associate with MSMP process 

Maintain End User Personalization 

BRFplus is SAP’s native workflow engine that is utilized across SAP applications 
BRFplus Rule Decision Table 

MSMP Cofiguration 


Centralized setup of master data (owner, controllers, reason codes). 

Centralized access point when using Firefighter IDs and reporting. Firefighters no 
longer have to log onto each client. 

Controller review approval workflow 

Define Ownership 


1) Which periodic review process allows a role owner to remove roles from the users? 
A. UAR Review 

B. SoD Review 

C. Firefighter Log Review 


D. Role Certification Review 


2) You want to assign an owner when creating a mitigating control. However, you cannot find the 
user you want to assign as an owner in the list of available users. What could be the reason? 


A. The user is already assigned as an owner to another mitigating control. 
B. The workflow for creating a mitigating control has not yet been approved. 
C. The user is locked. 


D. The user has not been assigned as an owner in the organizational hierarchy. 


3) Which report types require the execution of batch risk analysis? (Choose two) 


A. Ad-hoc risk analysis reports 
B. Offline risk analysis reports 
C. User level simulation reports 
D. Access rules detail reports 


E. User and role analysis dashboards 


4) Where can you define a mitigating control? (Choose three) 
A. In the mitigating controls workset in Access Control 

B. In the rule setup in Access Control 

C. In the Access Control risk analysis result screen 

D. In the central process hierarchy in Process Control 


E. In the activity setup in Risk Management 


5) You have created a new end-user personalization (EUP) form. Where can you make use of this 
EUP form? (Choose two) 


A. Ina stage configuration of a workflow 


B. In an organizational assignment request 
C. Ina template-based request 
D. In a model user request 


E. Company 2 


6) Your customer wants to eliminate false positives from their risk analysis results. How must you 
configure Access Control to include organizational value checks when performing a risk analysis? 
(Choose two) 


A. Configure organization rules for each relevant function. 


B. Update the functions that contain each relevant action by activating the fields for the required 
permissions and maintaining a value for each specific organization. 


C. Configure organization rules for each relevant risk. 


D. Update the functions that contain each relevant action by activating the fields for the required 
permissions. 


E. Configure organization level system parameters to incorporate all organization levels for each 
relevant risk. 


7) You have maintained an end-user personalization (EUP) form and set a particular field as 
mandatory. Which additional field attribute settings are required? (Choose two) 


A. The field attribute Visible must be set to "Yes". 
B. A default value must be maintained for the field. 
C. The field attribute Editable must be set to "Yes". 
D. The field attribute Visible must be set to "No". 


E. The field attribute Editable must be set to "No". 


8) You want to maintain roles using Business Role Management. How do you import the roles from 
the back-end system? 


A. Use an SAP transport. 
B. Execute the Role Import background job directly in the back-end system. 
C. Use the standard import template. 


D. Execute the Role Repository Sync program. 


9) Which configuration parameters determine the content of the log generated by the SPM Log 
Synch job? (Choose three) 


A. Enable Risk Change log (1002) 

B. Enable Authorization Logging (1100) 
C. Retrieve System log (4004) 

D. Retrieve OS Command log (4006) 


E. Retrieve Audit log (4005) 


10) Which activity can you perform when you use the Test and Generate options in transaction 
MSMP Rule Generation/Testing (GRFNMW_DEV_RULES)? 


A. Generate and activate a BRFplus flat rule for workflow-related rules. 
B. Create a rule type for workflow-related rules. 
C. Create an MSMP process ID for workflow-related rules. 


D. Generate and activate function modules for workflow-related rules. 


11Your customer has created a custom transaction code ZFB10N by copying transaction 
FB10 and implementing a user exit. 

How can you incorporate the customer enhancement into the global rule set so that it will be 
available for Risk Analysis? 


A. Update security permissions in all relevant authorization objects, maintain the custom 
program name in all relevant functions, and generate the access rules. 

B. Update all relevant functions with ZFB10N, maintain the permission values for all relevant 
authorization objects, and generate the access rules. 

C. Update all relevant functions with ZFB10N, maintain the permission values in the relevant 
access risk, and generate the global rule set. 

D. Update the relevant access risk with ZFB10N, maintain access rules in all relevant 
functions,and generate the global rule set. 


12) What is the purpose of role mining? 

A. To consolidate roles by taking actions after running comparisons 

B. To compare authorizations by merging roles during the back-end synchronization 
C. To consolidate authorizations by merging roles in one step 

D. To compare roles by running back-end synchronizations 


Note : Role Mining : Groups features to allow 
you to target roles of interest, analyze them, and 
take action 


13) Which of the following attributes are mandatory when creating business role definition 
details in 

Business Role Management? (Choose three) 

A. Functional Area 

B. Company 

C. Landscape 

D. Project Release 

E. Application Type 


14) What information is available in the audit trail log for access rules? (Choose two) 
A. Which terminal ID the change was made from 

B. When the change was made 

C. Who made the change 

D. Who approved the change 


15) For which purpose can you use organizational value mapping? 
A. To maintain derived roles with organizational units 

B. To group roles by organization 

C. To maintain composite roles with organizational units 

D. To group users by organization 


16) SAP's GRC solution embeds GRC into the way companies do business and into every business process. 
Determine whether this statement is true or false. 
True 


False 


17) Match the key process to the closest description. 
Match items from Ist column to the corresponding item in 2nd column. 


eS) 
Access Risk Analysis Tracks, monitors and logs 
activities performed outside of 
a user's normal role 


Access Request Management 


Business Role Management| 
g Includes an expandable starter 


Emergency Access set of rules 
Management 


Automated provisioning 


Risk Terminator 
Ensures enterprise-wide 


consistent role definitions and 
maintenance 


Helps identify and prevent 
risks arising from security 
access and role changes made 
directly in a connected system 


18) Which of the following statements are true? 
Choose the correct answers. 
A Analyze and Manage Risk can utilize workflow for changes to control master data and control assignments 


B Access Request Management and Business Role Management use different tables for role information 
C Access Request Management will allow for a user to be assigned to a mitigation for a risk 


D Emergency Access Management can utilize Analyze and Manage Risk to show where a firefighter may have 
completed both sides of a SoD risk 


19) The unified compliance platform allows complete management of all risks and controls from a single 
environment. Determine whether this statement is true or false. 
True 


False 


20) You can find access violations in Process Control and mitigate them with controls that were documented 
and certified in Access Control. 
Determine whether this statement is true or false. 


True 


False 


21)The information architecture leverages the same work centers and navigation across the GRC solution rather 
than to completely separate the components. 
Determine whether this statement is true or false. 


True 


False 


22) Match the work center to its function. 
Match items from Ist column to the corresponding item in 2nd column. 


————— 
My Home Maintain GRC role 


assignments 
Setup g 


Unique to Access Control 
Access Management 
; Access Dashboards 
Reports and Analytics 


Maintain activities, processes, 
Master Data 

and controls 
Rule Setu ; ahs 
S EREE 


Scheduling 


View and act on your assigned 
tasks 


23) In which of the work centers below can you create and maintain organizations? 
Choose the correct answers. 


A Setup 
B My Home 
C Rule Setup 


D Master Data 


Ans 17) 


Access Risk Analysis 
Access Request Management 


Business Role Management 


Emergency Access 
Management 


Risk Terminator 


ANS 22) 


My Home 

Setup 

Access Management 
Reports and Analytics 


Master Data 


Rule Setup 


Includes an expandable starter 
set of rules 


Automated provisioning 


Ensures enterprise-wide 
consistent role definitions and 
maintenance 


Tracks, monitors and logs 
activities performed outside of 
a user's normal role 


Helps identify and prevent 
risks arising from security 
access and role changes made 
directly in a connected system 


View and act on your assigned 
tasks 


Unique to Access Control 


Maintain GRC role 
assignments 


Access Dashboards 


Maintain activities, processes, 
and controls 


Continuous Monitoring and 
Scheduling 


24) Uncontrolled assignment of excessive authorizations can result in users being able to initiate fraud. 


Determine whether this statement is true or false. 


True 


False 


25) Which of the following sets of activities should be segregated? 


Choose the correct answers. 
A Modify payroll master data and process payroll 


B Change employee HR benefits and process payroll 
C Enter time data and print salary statements to a secured printer 
D Modify time data and modify salary information 


26) Match the SoD Risk Management Process step to the closest description. 
Match items from Ist column to the corresponding item in 2nd column. 


rs 
Determine alternative controls 
Estimate cleanup efforts 
Verify against test users and 


ie Simulate changes to roles and 
Mitigation 
users 
Continuous Compliance a lene 
Clarify and classify risk as 


high, medium, or low 


Determine alternatives for 
eliminating risks 


27) Bettina has the system authorizations to create anad approve a purchase order and issues payments to 
vendors. Does this constitute a risk? 
Choose the correct answers. 


AYes 
BNo 
28) Fritz has the authorization to process payroll. While his colleague is on leave, he will assume her 


responsibilities of adding new hires to the system. Does this constitute a risk? 
Determine whether this statement is true or false. 


True 
False 


29)Which of the following items combine to form a rule? 
Choose the correct answers. 


A Rule Set 
B Functions 
CBusiness Rules 


DRisks 


30)Match the term to the closest description. 
Match items from Ist column to the corresponding item in 2nd column. 


Business Process Business area categories 


Function Allows a user to perform a 
Risk particular activity ina system 


. Create Purchase Order 
Action 


A grouping of one or more 
related actions or permissions 


Permission 


Syst 
YSE Where risk analysis is 


performed 


An opportunity for process 
disruption or productivity loss 


31) What is the purpose of the tasks performed during Phase Two of the SoD Risk Management process 
(Analyzing, Remediating, and Mitigating Risk)? 

Choose the correct answers. 

A Identify authorization risks in business processes 

B Build and validate rules 

C Provide business process analysts and owners with alternatives for correcting or eliminating risks 

D Ensure ongoing compliance 


32) Remediation is required when you cannot create appropriate mitigation controls. 
Determine whether this statement is true or false. 


True 


False 


33) Continuous compliance involves maintaing compliance and segregation of duties in an ongoing fashion. 
Choose the correct answers. 


ATrue 


BFalse 


26) ANSWER BELOW 


Business Process Business area categories 


Function A grouping of one or more 


. related actions or permissions 
Risk P 
: An opportunity for process 
Action : y P . 
disruption or productivity loss 


Permission 
Create Purchase Order 


System 


Allows a user to perform a 
particular activity in a system 


Where risk analysis is 
performed 


34) Which of the following statements are true about the GRC 10.0 Architecture and landscape? 
Choose the correct answers. 


A Access Control, Process Control and Risk Management are contained in one ABAP add-on called 
GRCFND_A 


B Access Control, Process Control and Risk Management are contained in three ABAP add-ons called 
GRCFND_A, GRCFND_R, and GRCFND_P 


C Content Lifecycle Management (CLM) contains functions for transporting GRC business data, for example 
AC Rules or PC Controls 


D GRC configuration/customizing is transported using the standard ABAP transport system 


35) You can only access the GRC front end via the NetWeaver Business Client 3.0 (NWBC). 
Determine whether this statement is true or false. 


True 


False 


36) Which of the following common components are shared with Process Control and Risk Management? 
Choose the correct answers. 


A Master Data 

B Workflow 

C Role Mining 

D Superuser Access Management 


E Reports and Dashboards 


37) The ABAP database is the common repository for all Access Control data. 
Determine whether this statement is true or false. 


True 
False 
34)A,C,D 35)B 36)A,B,E 37)A 


38) Object-level security allows you to limit access by: 
Choose the correct answers. 


A Function 

B Risk 

C User 

D Any authorization objects available in Firefighter 

E Any authorization objects available in Role Maintenance 


39) To access GRC 10.0 solutions, you must have either Portal or NWBC authorization. 
Determine whether this statement is true or false. 


True 


False 


40) If you use Access Control 10.0 with other GRC solutions, you can leverage this functionality to: 
Choose the correct answers. 


A Manage PFCG roles used with GRC 

B Create Process Control or Risk Management users 
C Assign GRC PFCG roles to users 

D Perform SoD analysis for PFCG role authorizations 
E Perorm SoD analysis for entity-level authorization 


38) A,B,C,E 39) A 40) A,B,C,D 


41) Connectors connect systems to each other and connection types indicate the type of system, such as Web 
Service, SAP, or File. 
Determine whether this statement is true or false. 


True 


False 


42) Which of the following Integration scenarios apply to Access Control? 
Choose the correct answers. 


A AUTH 

B PROV 

C RISKMG 

D ROLMG 

E SUPMG 

43) Creating connectors is a Customizing activity that allows you to create Remote Function Call (RFC) 


destinations. 
Determine whether this statement is true or false. 


A True 
B False 
44) RFC is an interface for communication between SAP client and server to external programs and data, and 


can enable function calls to SAP systems or external systems. 
Choose the correct answers. 


A True 


B False 


45) In Business Role Management, which of the following actions are associated wth the four phases for which 
you need to assign a connector? 
Choose the correct answers. 


A Role Generation 

B Role Risk Analysis 

C Authorization Maintenance 
D Provisioning 

E Superuser Designation 


F HR Triggers 


46) Match the Customizing activity to the statement that best describes its purpose. 
Match items from Ist column to the corresponding item in 2nd column. 


Maintain Connector Group Active or Not Active 


Status 
Map a user personnel number 


Assign Default Connector as the email in Access Control 
Assign Group Field Mapping For provisioning into SPML1.0- 


3 compliant systems, such as 
Assign Group Parameter IDM or SAP EP 
Mapping 


Specify the system Access 
Control will use to 
authenticate users and roles 


Maintain Plug-In Settings 


Assign actions to a connector 
group and set the default 


47) Business processes and subprocesses are attributes that you can assign to specific roles. 
Determine whether this statement is true or false. 


True 


False 


48) BC sets are used for Customizing entries in Access Control. 
Determine whether this statement is true or false. 


True 


False 


49) You must activate BC sets in clusters for each IMG node. 
Determine whether this statement is true or false. 


True 


False 


Answer for 46 


p 
Maintain Connector Group 
Status 


Assign Default Connector 
Assign Group Field Mapping 


Assign Group Parameter 
Mapping 


Maintain Plug-In Settings 


Active or Not Active 


Assign actions to a connector 
group and set the default 


Map a user personnel number 
as the email in Access Control 


For provisioning into SPML1.0- 
compliant systems, such as 
IDM or SAP EP 


Specify the system Access 
Control will use to 
authenticate users and roles 


50) Identify the order in which synchronization jobs should be completed. 
Match items from Ist column to the corresponding item in 2nd column. 


Action Usage Sync 

Repository Object Sync 

Role Usage Sync 

PFCG Authorization Sync 

51) Which transaction do you execute to run program GRAC_PFCG_AUTHORIZATION_SYNC? 


In which of the following modes can the program GRAC_REPOSITORY_OBJECT_SYNC be executed? 
Choose the correct answers. 


A Full Sync Mode 

B Partial Sync Mode 

C Incremental Sync Mode 
D Sequential Sync Mode 


52) Which of the following programs are included in Repository Object Sync? 
Choose the correct answers. 


A GRAC_ROLEREP_PROFILE_SYNC 
B GRAC_ROLEREP_ROLE_SYNC 
C GRAC_ROLEREP_OWNR_SYNC 


D GRAC_ROLEREP_USER_SYNC 


53) Which of the following usage types are synchronized with the Access Control Repository? 
Choose the correct answers. 


A User 
B Action 
C Log 


D Role 


54) Which transaction is used to define background jobs? 


Choose the correct answers. 
A SM59 


BSM63 
C SM24 
D SM36 


55) Which Start Condition must be selected in order to schedule periodic jobs? 
Choose the correct answers. 


A Immediate 
B Date/Time 
C After Job 


D After EvenT 


56) Which of the following statements are true about BRFplus rule types? 
Choose the correct answers. 


A BRFplus rules can evaluate a request, including individual line items, but the request will stay intact as a 
whole 


B BRFplus rules can evaluate a request, but not the individual line items, and the request will stay intact as a 
whole 


C BRFplus Flat Rules can evaluate individual line items, but cannot direct each line individually 
D BRFplus Flat Rules can evaluate individual line items and can direct each line individually 


57) BRFplus is a Business Rules Management System for ABAP applications. 
Determine whether this statement is true or false. 


True 


False 


58) Match the term with its closest definition. 
Match items from Ist column to the corresponding item in 2nd column. 


= 
Application A container for other BRFplus 


: objects 
Function 
Business rules service 
Rulesets i 
interface 


Expression j F 
Collection of business rules 


Decision Table or Decision 
Tree 


59) There can only be one of these rules for each Process ID in MSMP configuration. 
Choose the correct answers. 


A Initiator Rule 
B Agent Rule 
C Routing Rule 


D Service Level Agreements Rule 


60) To begin setting up a workflow-related MSMP rule, first create the decision table and then create the 
BRFplus objects. 
Determine whether this statement is true or false. 


True 


False 


61) Which application components can share a common organization hierarchy? 
Choose the correct answers. 


A Access Control and Process Control only 

B Access Control and Risk Management only 

C Process Control and Risk Management only 

D Access Control, Process Control, and Risk Management 


62) From which Access Control work center can you view the organization hierarchy? 
Determine whether this statement is true or false. 


True 


False 


63) Mitigating controls are stored in separate locations for Access Control, Process Control, and Risk 
Management. 
Determine whether this statement is true or false. 


True 


False 


64) Which of the following are ways to create a mitigating control within GRC 10.0? 
Choose the correct answers. 


A Directly within Access Control 

B When you execute a User Risk Analysis 

C From the User Risk Analysis result view 

D From Process Control within Business Processes 
E From Process Control within Rule Setup 


65) Which of the following parameter groups are configured for Analyze and Manage Risk? 
Choose the correct answers. 


A Change Log 
B Mitigation 

C Risk Analysis 
D Workflow 


E Superuser Management 


66) When uploading SoD rules, you must append and not overwrite existing data. 
Determine whether this statement is true or false. 


True 
False 


67) Which of the following are allowable actions when managing SoD rules? 
Choose the correct answers. 


A Generate SoD rules 
B Delete SoD rules 

C Segregate SoD rules 
D Transport SoD rules 


68) Functions are the building blocks for risks, so any changes in functions will have a direct effect on the 
access rule set. 
Determine whether this statement is true or false. 


True 
False 


69).The addition of new functions or changes to existing functions must use the standard workflow for 
approvals. 
Determine whether this statement is true or false. 


True 
False 


70) Which of the following can be viewed in a Change Log report? 
Choose the correct answers. 


A Old and New values 
B The person who made the changes 
C The date the changes were made 


D Configuration parameters for component tracking 


71)You can run only one risk analysis at a time. 
Determine whether this statement is true or false. 


True 
False 


72) In areport, you can drill down on functions to see the user ID of the user who modified a risk. 
Determine whether this statement is true or false. 


True 
False 


73) In which order should you perform the following remediation steps? 
Match items from Ist column to the corresponding item in 2nd column. 


Analyze access rights for individual users 
Identify risks in composite roles 


Identify risks in single roles 


74) The purpose of remediation is to correct or eliminate SoD violations. 
Determine whether this statement is true or false. 


True 
False 


75) Multiple systems can be chosen while creating a mitigating control. 
Determine whether this statement is true or false. 


True 
False 


76) With system-specific mitigation, if User 1 is mitigated for Risk A in three systems, then User 2 must be 
mitigated for Risk A in the same three systems. 
Determine whether this statement is true or false. 


True 
False 


77) Which of the following are true statements? 
Choose the correct answers. 


A Mass Mitigation allows you to mitigate multiple risks at once while viewing an Access Risk Analysis report. 
B Mass Mitigation is not available for customers that do not use System Level Mitigation 
C Mass Mitigation is available for customers that do not use Rule ID Level Mitigation 


D Mass Mitigation increases the risk of user error 


78) A wild card (*) in the System field means that the mitigation assignment applies to all systems. 
Determine whether this statement is true or false. 


True 
False 


79) Match the term and its correct description. 
Match items from Ist column to the corresponding item in 2nd column. 
CORRECT ANS BELOW 


Firefighter A user requiring emergency 


Firefighter ID oe 


A user ID with elevated 
Owner as 
privileges 
Controller a 
A user reponsible for a 
Firefighter ID and the 
assignment of controllers and 


firefighters 


A user that reviews and 
approves log files 


80) Which of the following are valid Firefighter Application Types? 
Choose the correct answers. 


A Role Based Firefighter Application 
B Function Based Firefighter Application 
C ID Based Firefighter Application 


D Owner Based Firefighter Application 


81) The purpose of EAM is to allow users to take responsibility for tasks outside their normal job function by 
allowing temporary broad, but regulated, access. 
Determine whether this statement is true or false. 


True 
False 


82) In ID Based scenarios, firefighters must logon to individual client systems to do firefighting. 
Determine whether this statement is true or false. 


True 
False 


83)Before firefighters can do centralized firefighting, EAM must be configured in the IMG with an Application 
Type of 1 for Parameter 4000. 
Determine whether this statement is true or false. 


True 
False 


84)In which order must the following steps be performed to configure a Firefighter ID? 
Match items from Ist column to the corresponding item in 2nd column. 


Create Reason Codes 
Maintain Access Control Owners 
Assign a Firefighter ID to Controllers and Firefighters 


Assign an owner to a Firefighter ID 


85)It is mandatory for a Firefighter ID /Firefighter Role to be assigned to the owner before further assignments 
are made, such as for Firefighter Controller. 
Determine whether this statement is true or false. 


True 
False 


86) Only one firefighter can be assigned to a single ID/role. 
Determine whether this statement is true or false. 


True 
False 


87) The assignment for all systems to which the ID/role has access is done from the Setup work center. 
Determine whether this statement is true or false. 


True 
False 


88) Where do you maintain reason codes? 
Choose the correct answers. 


A In the Setup work center under Superuser Maintenance 
B In the ABAP client 
C In the Setup work center under Superuser Assignment 


D In the remote client system 


89) Where do you execute a Firefight session? 
Choose the correct answers. 


Aln the Setup work center under Superuser Maintenance 
BIn the ABAP client 
CIn the Setup work center under Superuser Assignment 


DIn the remote client system 


90) One reason code can be created and assigned to multiple client systems. 
Determine whether this statement is true or false. 


True 
False 


91) 


Match the report type to its purpose. 
Match items from Ist column to the corresponding item in 2nd column. 


System Log Captures Debug & Replace 

Consolidated Log Report information from transaction 
SM21 

iia stint ees del Provides information based on 


Firefighter Log Summary logs from the remote system 


SoD Conflict Report for Provides details of all users 
Firefighter ID who are either expired, locked, 


or deleted 


Provides session details 
logged by the firefighter in the 
remote system for the ID 
Based application 


Provides transactions 
performed with a FFID that 
violate access risk rules in the 
remote system 


92) A plug-in handles the procedure for getting data from the client system by fetching the data and then 
filtering it into a readable format. 
Determine whether this statement is true or false. 


True 
False 


93)Log Collector fetches data from the remote client system. 
Determine whether this statement is true or false. 


True 
False 


94) The Log Collection job must be executed in the background. 
Determine whether this statement is true or false. 


True 
False 


Question from sapexam.com 


Sample Questions: 


01. How do you enable manual provisioning in Access Control? 
Note: Please choose the correct answer. 

a) Maintain the relevant plug-in settings. 

b) Maintain the relevant global settings. 

c) Maintain the end-user personalization form. 

d) Maintain the "Override Assign Type" MSMP task setting. 


02. Your customer wants to eliminate false positives from their risk analysis 
results. How must you configure Access Control to include organizational value 
checks when performing a risk analysis? 

Note: There are 2 correct answers to this question. 

a) Configure organization rules for each relevant function. 

b) Update the functions that contain each relevant action by activating the fields for the 
required permissions and maintaining a value for each specific organization. 

c) Configure organization rules for each relevant risk. 

d) Update the functions that contain each relevant action by activating the fields for the 
required permissions. 

e) Configure organization level system parameters to incorporate all organization levels 
for each relevant risk. 


03. You want request details to be sent to specific users automatically using a 
custom notification. What do you have to do to enable this? 

Note: There are 2 correct answers to this question. 

a) Assign a document object to a message class. 

b) Enable e-mail reminders for the required users. 

c) Define a stage in MSMP workflow. 

d) Define a notification message using the required variables. 


04. You have created a new end-user personalization (EUP) form. Where can 
you make use of this EUP form? 

Note: There are 2 correct answers to this question. 

a) In a stage configuration of a workflow 

b) In an organizational assignment request 

c) In a template-based request 

d) In a model user request 


05. Which of the following objects can you use as an agent type to define 
approvers assigned to a workflow stage in MSMP workflow? 

Note: There are 3 correct answers to this question. 

a) PFCG User Groups 

b) GRC BAPI Rules 

c) User Group for Authorization Check 

d) Directly Mapped Users 

e) PFCG Roles 


06. Where can you define a mitigating control? 


Note: There are 3 correct answers to this question. 

a) In the mitigating controls workset in Access Control 
b) In the rule setup in Access Control 

c) In the Access Control risk analysis result screen 

d) In the central process hierarchy in Process Control 
e) In the activity setup in Risk Management 


07. What information is mandatory when you define an initiator or routing rule 
in the Maintain Rules work area? 

Note: Please choose the correct answer. 

a) Rule Result Value 

b) Notification Variable 

c) Route Mapping 

d) Variable Description 


08. Which report types require the execution of batch risk analysis? 
Note: There are 2 correct answers to this question. 

a) Ad-hoc risk analysis reports 

b) Offline risk analysis reports 

c) User level simulation reports 

d) Access rules detail reports 

e) User and role analysis dashboards 


09. You have created a connector to use Access Control for access request 
management.What does SAP recommend regarding the assignment of 
integration scenarios to this connector? 

Note: Please choose the correct answer. 

a) Assign the Provisioning (PROV) integration scenario to the connector. 

b) Assign all four Access Control integration scenarios to the connector. 

c) Assign the Role Management (ROLMG) integration scenario to the connector. 

d) Assign the Authorization Management (AUTH) integration scenario to the connector. 


10. You want to assign an owner when creating a mitigating control. However, 
you cannot ind the user you want to assign as an owner in the list of available 
users. What could be the reason? 

Note: Please choose the correct answer. 

a) The user is already assigned as an owner to another mitigating control. 

b) The workflow for creating a mitigating control has not yet been approved. 

c) The user is locked. 

d)The user has not been assigned as an owner in the organizational hierarchy. 


11. Which of the following roles delivered by SAP can you use to grant access to 
Emergency Access Management? 

Note: Please choose the correct answer. 

a) SAP_GRAC_END_USER 

b) SAP_GRAC_SUPER_USER_MGMT_USER 


c) SAP_GRAC_SPM_FFID 
d) SAP_GRAC_RULE_SETUP 


12. Which periodic review process allows a role owner to remove roles from the 
users? 

Note: Please choose the correct answer. 

a) UAR Review 

b) SoD Review 

c) Firefighter Log Review 

d) Role Certification Review 


13. Which transaction do you use to synchronize transactions and their 
descriptions in the Access Control repository? 

Note: Please choose the correct answer. 

a) Role Usage Synchronization (GRAC_ROLE_USAGE_SYNC) 

b) Profile Synchronization (GRAC_PROFILE_SYNC) 

c) Repository Object Synchronization (GRAC_REP_OBJ_SYNC) 

d) Authorizations Synchronization (GRAC_AUTH_SYNC) 


14. What is the difference between an SoD risk and a critical action risk? 

Note: Please choose the correct answer. 

a) An SoD risk is comprised of two or more conflicting functions, while a critical action 
risk is comprised of one function. 

b) An SoD risk is comprised of one function, while a critical action risk is comprised of 
two or more actions that conflict within a function. 

c) An SoD risk is comprised of two or more conflicting permissions, while a critical action 
risk is comprised of two or more permissions that conflict within a function. 

d) An SoD risk is comprised of actions in one function, while a critical action risk is 
comprised of two or more conflicting functions. 


15. Which risk analysis reports must be executed in the background? 
Note: There are 2 correct answers to this question. 

a) Role level simulation with "Include Users" as an additional criterion 

b) User level risk analysis with "Show All Objects" as an additional criterion 
c) Offline risk analysis 

d) Role level risk analysis with "Show All Objects" as an additional criterion 


16. Which workflow-related MSMP rule kinds can you create in BRFplus? 


Note: There are 3 correct answers to this question. 
a) Notification variables rule 

b) Detour rule 

c) Process rule 

d) Routing rule 

e) Agent rule 


17. What is a purpose of the Access Rule Maintenance workset? 
Note: Please choose the correct answer. 

a) To set up specific access risk rules to reflect company policies 

b) To delete a table structure from the rule set 

c) To maintain the rule set so that you can combine rules to build risks 
d) To tie actions to risks so that you can combine them to build functions 


18. You have created a custom role methodology for your firefight-related 
security roles. However, when you create a specific firefight-related security 
role, the expected methodology is not applied. What could be the reason? 
Note: Please choose the correct answer. 

a) The BRFplus decision table does not contain the appropriate condition. 

b) The role methodology is not assigned to an organizational value map. 

c) The condition group is not assigned to a role prerequisite. 

d) The Direct Value Input method was used for the condition column. 


19. When is a BRFplus Routing rule triggered? 
Note: Please choose the correct answer. 

a) During workflow processing 

b) During BRFplus decision table activation 

c) During workflow configuration 

d) During BRFplus rule configuration 
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Damn Sure Questions in GRC AC 10 Certification 
Exam(C_GRCAC_10) 


NO.1 Your customer has created a custom transaction code ZFB10N by copying 
transaction FB10 

and implementing a user exit. 

How can you incorporate the customer enhancement into the global rule set so 
that it will be 

available for Risk Analysis? 


A. Update security permissions in all relevant authorization objects, maintain the custom 
program 

name in all relevant functions, and generate the access rules. 

B. Update all relevant functions with ZFB10N, maintain the permission values for all 
relevant 


authorization objects, and generate the access rules. 

C. Update all relevant functions with ZFB10N, maintain the permission values in the 
relevant 

access risk, and generate the global rule set. 

D. Update the relevant access risk with ZFB10N, maintain access rules in all relevant 
functions, 

and generate the global rule set. 

Answer: B 


NO.2 Which of the following objects can you maintain in the "Maintain Paths" 
work area of MSMP workflow configuration? (Choose three) 

A. Paths 

B. Path versions 

C. Rules for path mappings 

D. Stage notification settings 

E. Stages 

Answer: A,D,E 


NO.3 Which configuration parameters determine the content of the log 
generated by the SPM Log 

Synch job? (Choose three)? 

A. Enable Risk Change log (1002) 

B. Enable Authorization Logging (1100) 

C. Retrieve System log (4004) 

D. Retrieve OS Command log (4006) 

E. Retrieve Audit log (4005) 

Answer: C,D,E 


NO.4 Your customer wants to eliminate false positives from their risk analysis 
results. 

How must you configure Access Control to include organizational value checks 
when performing a 

risk analysis? (Choose two)?\ 


A. Configure organization rules for each relevant function. 

B. Update the functions that contain each relevant action by activating the fields for the 
required 

permissions and maintaining a value for each specific organization. 

C. Configure organization rules for each relevant risk. 

D. Update the functions that contain each relevant action by activating the fields for the 
required 

permissions. 

E. Configure organization level system parameters to incorporate all organization levels 
for each 

relevant risk. 


Answer: C,D 


NO.5 What do you mitigate using Access Control? 
A. Roles 

B. Users 

C. Risks 

D. Functions 

Answer: C 


NO.6 Your customer wants a manager to fulfill both MSMP workflow agent 
purposes. 


How do you configure this? 


A. Maintain the manager agent twice, once for each purpose, using the same agent ID. 
B. Maintain the manager agent once and assign both purposes to it without using an 
agent ID. 

C. Maintain the manager agent twice, once for each purpose, using different agent IDs. 
D. Maintain the manager agent once and assign both purposes to it using the same 
agent ID. 

Answer: C 


NO.7 You have identified some risks that need to be defined as cross-system 
risks. How do you 

configure your system to enable cross-system risk analysis? 

A. 1. Set the analysis scope of the function to cross-system. 

2. Create cross-system type connectors. 

. Assign the corresponding connectors to the appropriate connector group. 
. Generate rules. 

. 1. Set the analysis scope of the risk to cross-system. 

. Create cross-system type connectors. 

. Assign the corresponding connectors to the appropriate connector group. 
. Generate rules. 

. 1. Set the analysis scope of the risk to cross-system. 

. Create a cross-system type connector group. 

. Assign the corresponding connectors to the connector group. 

. Generate rules. 

. 1. Set the analysis scope of the function to cross-system. 

. Create a cross-system type connector group. 

. Assign the corresponding connectors to the connector group. 

. Generate rules. 

Answer: D 
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NO.8 What does assigning the Logical Group (SOD-LOG) type to a connector 
group allow you to do? 

A. Run a cross-system analysis. 

B. Use the connector group for transports to the target system. 

C. Monitor the target system. 

D. Use the connector group as a business role management landscape. 

Answer: D 


NO.9 Who approves the review of the periodic segregation of duties? 
A. Mitigation monitors 

B. Role owners 

C. Mitigation approvers 

D. Risk owners 

Answer: D 


NO.10 How are lines and columns linked in a BRFplus initiator decision table? 
A. A column to a column through a logical OR 

B. A column to a line through a logical OR 

C. A column to a column through a logical AND 

D. A line to a line through a logical AND 

Answer: C 


NO.8 What does assigning the Logical Group (SOD-LOG) type to a connector 
group allow you to do?A. Run a cross-system analysis. ? 

B. Use the connector group for transports to the target system. 

C. Monitor the target system. 


D. Use the connector group as a business role management landscape. 
Answer: D 


NO.9 Who approves the review of the periodic segregation of duties? 
A. Mitigation monitors 

B. Role owners 

C. Mitigation approvers 

D. Risk owners 

Answer: D 


NO.10 How are lines and columns linked in a BRFplus initiator decision table? 
A. A column to a column through a logical OR 

B. A column to a line through a logical OR 

C. A column to a column through a logical AND 

D. A line to a line through a logical AND 

Answer: C 


NO.11 Which periodic review process allows a role owner to remove roles from 
the users? 


A. UAR Review 

B. SoD Review 

C. Firefighter Log Review 
D. Role Certification Review 


Answer:A 


NO.12 You want to assign an owner when creating a mitigating control. 
However, you cannot find the user you want to assign as an owner in the list of 
available users. What could be the reason? 


A. The user is already assigned as an owner to another mitigating control. 

B. The workflow for creating a mitigating control has not yet been approved. 

C. The user is locked. 

D. The user has not been assigned as an owner in the organizational hierarchy. 


Answer:D 


NO.13 Which report types require the execution of batch risk analysis? (Choose 
two)? 

A. Ad-hoc risk analysis reports 

B. Offline risk analysis reports 

C. User level simulation reports 

D. Access rules detail reports 

E. User and role analysis dashboards 


Answer:B,E 

NO.14 Where can you define a mitigating control? (Choose three)? 
A. In the mitigating controls workset in Access Control 

B. In the rule setup in Access Control 

C. In the Access Control risk analysis result screen 

D. In the central process hierarchy in Process Control 

E. In the activity setup in Risk Management 


Answer:A,C,D 


NO.15 You have created a new end-user personalization (EUP) form. Where can 
you make use of this EUP form? (Choose two)? 


A. In a stage configuration of a workflow 
B. In an organizational assignment request 
C. In a template-based request 

D. In a model user request 

E. Company 2 


Answer: A, C 


NO.16 You have maintained an end-user personalization (EUP) form and set a 
particular field as mandatory. Which additional field attribute settings are 
required? (Choose two)? 


A. The field attribute Visible must be set to "Yes". 
B. A default value must be maintained for the field. 
C. The field attribute Editable must be set to "Yes". 
D. The field attribute Visible must be set to "No". 
E. The field attribute Editable must be set to "No". 


Answer: A, C 


NO 17.You want to maintain roles using Business Role Management. How do 
you import the roles from the back-end system? 


A. Use an SAP transport. 

B. Execute the Role Import background job directly in the back-end system. 
C. Use the standard import template. 

D. Execute the Role Repository Sync program 


Answer: C 


NO 18 Which activity can you perform when you use the Test and Generate 
options in transaction MSMP Rule Generation/Testing (GRFNMW_DEV_RULES)? 


A. Generate and activate a BRFplus flat rule for workflow-related rules. 
B. Create a rule type for workflow-related rules. 

C. Create an MSMP process ID for workflow-related rules. 

D. Generate and activate function modules for workflow-related rules. 


Answer: D 


NO 19 You want to assign an owner when creating a mitigating control. 
However, you cannot find the user you want to assign as an owner in the list of 
available users. 

What could be the reason? 


A. The user is already assigned as an owner to another mitigating control. 

B. The workflow for creating a mitigating control has not yet been approved. 
C. The user is locked. 

D. The user has not been assigned as an owner in the organizational hierarchy. 


Answer: D 


Your customer has created a custom transaction code ZFB10N by copying transaction FB10 
and implementing a user exit. 

How can you incorporate the customer enhancement into the global rule set so that it will be 
available for Risk Analysis? 


A. Update security permissions in all relevant authorization objects, maintain the custom 
program 

name in all relevant functions, and generate the access rules 

B. Update all relevant functions with ZFB10N, maintain the permission values for all relevant 
authorization objects, and generate the access rules 

C. Update all relevant functions with ZFB10N, maintain the permission values in the relevant 
access risk, and generate the global rule set 

D. Update the relevant access risk with ZFB10N, maintain access rules in all relevant functions, 
and generate the global rule set 


Answer: B 


Which of the following objects can you maintain in the "Maintain Paths" work area of MSMP 
workflow configuration? (Choose three) 

A. Paths 

B. Path versions 

C. Rules for path mappings 

D. Stage notification settings 

E. Stages 

Answer: A,D,E 


Which configuration parameters determine the content of the log generated by the SPM Log 
Synch job? (Choose three)? 

A. Enable Risk Change log (1002) 

B. Enable Authorization Logging (1100) 

C. Retrieve System log (4004) 

D. Retrieve OS Command log (4006) 

E. Retrieve Audit log (4005) 

Answer: C,D,E 


Your customer wants to eliminate false positives from their risk analysis results. 
How must you configure Access Control to include organizational value checks when performing 


a 
risk analysis? (Choose two)? 


A. Configure organization rules for each relevant function 

B. Update the functions that contain each relevant action by activating the fields for the 
required permissions and maintaining a value for each specific organization 

C. Configure organization rules for each relevant risk 

D. Update the functions that contain each relevant action by activating the fields for the 
required permissions 

E. Configure organization level system parameters to incorporate all organization levels for each 
relevant risk 


Answer: C,D 


What do you mitigate using Access Control? 
A. Roles 

B. Users 

C. Risks 

D. Functions 

Answer: C 


Your customer wants a manager to fulfill both MSMP workflow agent purposes. 
How do you configure this? 


A. Maintain the manager agent twice, once for each purpose, using the same agent ID 

B. Maintain the manager agent once and assign both purposes to it without using an agent ID 
C. Maintain the manager agent twice, once for each purpose, using different agent IDs 

D. Maintain the manager agent once and assign both purposes to it using the same agent ID 
Answer: C 


You have identified some risks that need to be defined as cross-system risks. How do you 
configure your system to enable cross-system risk analysis? 

A. 1. Set the analysis scope of the function to cross-system 

2. Create cross-system type connectors 

3. Assign the corresponding connectors to the appropriate connector group 

4. Generate rules 


B. 1. Set the analysis scope of the risk to cross-system 

2. Create cross-system type connectors 

3. Assign the corresponding connectors to the appropriate connector group 
4. Generate rules 


10. 


11. 


12. 


C. 1. Set the analysis scope of the risk to cross-system 

2. Create a cross-system type connector group 

3. Assign the corresponding connectors to the connector group 
4. Generate rules 


D. 1. Set the analysis scope of the function to cross-system 

2. Create a cross-system type connector group 

3. Assign the corresponding connectors to the connector group 
4. Generate rules 

Answer: D 


What does assigning the Logical Group (SOD-LOG) type to a connector group allow you to do? 
A. Run a cross-system analysis 

B. Use the connector group for transports to the target system 

C. Monitor the target system 

D. Use the connector group as a business role management landscape 

Answer: D 


Who approves the review of the periodic segregation of duties? 
A. Mitigation monitors 

B. Role owners 

C. Mitigation approvers 

D. Risk owners 

Answer: D 


How are lines and columns linked in a BRFplus initiator decision table? 
A. Acolumn to a column through a logical OR 

B. Acolumn to a line through a logical OR 

C. Acolumn to a column through a logical AND 

D. A line to a line through a logical AND 

Answer: C 


Which periodic review process allows a role owner to remove roles from the users? 
A. UAR Review 

B. SOD Review 

C. Firefighter Log Review 

D. Role Certification Review 

Answer:A 


You want to assign an owner when creating a mitigating control. However, you cannot find the 
user you want to assign as an owner in the list of available users. What could be the reason? 


13. 


14. 


15. 


16. 


A. The user is already assigned as an owner to another mitigating control 

B. The workflow for creating a mitigating control has not yet been approved 
C. The user is locked 

D. The user has not been assigned as an owner in the organizational hierarchy 
Answer:D 


Which report types require the execution of batch risk analysis? (Choose two)? 
A. Ad-hoc risk analysis reports 

B. Offline risk analysis reports 

C. User level simulation reports 

D. Access rules detail reports 

E. User and role analysis dashboards 

Answer:B,E 


Where can you define a mitigating control? (Choose three)? 


A. Inthe mitigating controls workset in Access Control 
B. In the rule setup in Access Control 

C. In the Access Control risk analysis result screen 

D. In the central process hierarchy in Process Control 
E. In the activity setup in Risk Management 
Answer:A,C,D 


You have created a new end-user personalization (EUP) form. Where can you make use of this 


EUP form? (Choose two)? 


A. In a stage configuration of a workflow 
B. In an organizational assignment request 
C. Ina template-based request 

D. In a model user request 

E. Company 2 

Answer: A, C 


You have maintained an end-user personalization (EUP) form and set a particular field as 
mandatory. Which additional field attribute settings are required? (Choose two)? 


A. The field attribute Visible must be set to "Yes" 
B. A default value must be maintained for the field 
C. The field attribute Editable must be set to "Yes" 
D. The field attribute Visible must be set to "No" 

E. The field attribute Editable must be set to "No" 
Answer: A, C 


17. 


18. 


19. 


20. 


You want to maintain roles using Business Role Management. How do you import the roles from 
the back-end system? 


A. Use an SAP transport 

B. Execute the Role Import background job directly in the back-end system 
C. Use the standard import template 

D. Execute the Role Repository Sync program 

Answer: C 


Which activity can you perform when you use the Test and Generate options in transaction 
MSMP Rule Generation/Testing (GRFNMW_DEV_RULES)? 


A. Generate and activate a BRFplus flat rule for workflow-related rules 
B. Create a rule type for workflow-related rules 

C. Create an MSMP process ID for workflow-related rules 

D. Generate and activate function modules for workflow-related rules 
Answer: D 


You want to assign an owner when creating a mitigating control. However, you cannot find the 
user you want to assign as an owner in the list of available users. 
What could be the reason? 


A. The user is already assigned as an owner to another mitigating control 

B. The workflow for creating a mitigating control has not yet been approved 
C. The user is locked 

D. The user has not been assigned as an owner in the organizational hierarchy 
Answer: D 


You are considering the use of business rules framework to manage the automation of the 
definition and maintenance of roles in your system landscape. Which of the following rules is 
directly supported in business role management? 

Note: There are 2 correct answers to this question. 


HR Triggers 

Role Methodology 
User defaults 

Role Approver 


VUOWD> 


Answer: B, D 

Business role methodology rule and business role management approver rule are directly 
related to business role management. The methodology rules allow you to define a 
methodology process while the approver rule allows you to derive default approvers based on 


parameters in the business rules framework. Even though HR triggers and user default rules are 
supported by business rules framework, they are not applicable to business roles management. 
Other rules that are supported by business rules framework includes: initiator rule, agent rule, 
routing rule, service level agreements, user defaults, request mitigation policy, request multiple 
rule set and HR Trigger 


21. Which of the following is CORRECT about the conditions evaluated for an initiator rule by 
BRFplus engine? 

Please choose the correct answer. 

A. It must be unique. 

B. It must be in upper case. 

C. It must be blank. 

D. It must be a number. 

Answer: A 

Initiator rules are used to determine the initial route of a request in the workflow process. 
Ideally, the initiator rule should evaluate to a value that is unique. This is to forestall 
unambiguous result or issues in the workflow process. There is no specific requirement that 
states that the initiator rule should evaluate to a particular letter case or number. However, you 
can have multiple conditions that return the same value. 


22. You have a business requirement to build a rule that will determine the initial routing of a 
request for two different production systems (e.g. SAP ECC and SAP BW). Which type of rule will 
you use to build it? 

Please choose the correct answer. 

A. BRFplus 

B. BRFPlus Flat rule 

C. ABAP Program 

D. Routing rule 

Answer: B 

You will need to use a BRFplus flat rule to create an initiator rule for this purpose. This is 
because a BRFplus flat rule can analyze individual line item and return a specific rule result for 
each of those lines. Whilst options A and C are rule types which could be used, they are not as 
appropriate for this use case. BRFplus rules evaluate the whole input context and return a single 
result which requires much more complex rule definition. ABAP programs require development 
and are inflexible from a maintenance perspective. Option D — routing rule is a rule kind rather 
than a rule type which can be called from a workflow which is in process. It cannot be used as an 
initial trigger for starting a workflow path 


23. Which of the following are rule types used in MSMP workflow? (Choose three) 
A. Web Service rule 

B. ABAP Class-Based rule 

C. Function Module-Based rule 

D. BRFplus rule 

E. ABAP User Exit-Based rule 

Answer: B,C,D 


24. What data is synchronized when you run the GRAC_REPOSITORY_OBJECT_SYNC report? 


(Choose three) 

A. Profiles 

B. Roles 

C. Role usage 

D. PFCG authorizations 
E. Users 

Answer: A,B,E 


25. Which of the following jobs do you have to schedule to collect Firefighter session 
information? 

A. GRAC_SPM_LOG_ARCHIVING 

B. GRAC_SPM_WORKFLOW_SYNC 

C. GRAC_SPM_LOG_SYNC_UPDATE 

D. GRAC_SPM_CLEANUP 

Answer: C 

26. Which of the following actions in Business Role Management require a connection to a 
target 

system? (Choose three) 

A. Generation 

B. Authorization maintenance (actions and permissions) 

C. Risk analysis 

D. Approval 

E. Testing 

Answer: A,B,C 

27. For which of the following scenarios would you activate the end-user logon function? 
A. A user has no access to the Access Control system and needs to submit a request for access. 
B. A user has been promoted to manager and needs to log on to the Access Control system to 
approve a pending request. 

C. A user has successfully completed validation testing. 

D. A user has signed a non-disclosure agreement (NDA). 

Answer: A 

28. What does assigning the Logical Group (SOD-LOG) type to a connector group allow you to 
do? 

A. Run a cross-system analysis. 

B. Use the connector group for transports to the target system. 

C. Monitor the target system. 

D. Use the connector group as a business role management landscape. 

Answer: D 

29. Which of the following role provisioning types does Access Control user provisioning 
support? (Choose three) 

A. Direct 

B. Indirect 


C. Auto-provisioning at end of request 

D. No provisioning 

E. Combined 

Answer: A,B,E 

30. Which configuration parameters determine the content of the log generated by the SPM 
Log 

Synch job? (Choose three) 

A. Enable Risk Change log (1002) 

B. Enable Authorization Logging (1100) 

C. Retrieve System log (4004) 

D. Retrieve OS Command log (4006) 

E. Retrieve Audit log (4005) 

Answer: C,D,E 

31. You have identified some risks that need to be defined as cross-system risks. How do you 
configure your system to enable cross-system risk analysis? 

A. 1. Set the analysis scope of the function to cross-system. 

2.Create cross-system type connectors. 

3.Assign the corresponding connectors to the appropriate connector group. 
4.Generate rules. 

B. 1. Set the analysis scope of the risk to cross-system. 

2.Create cross-system type connectors. 

3.Assign the corresponding connectors to the appropriate connector group. 
4.Generate rules. 

C. 1. Set the analysis scope of the risk to cross-system. 

2.Create a cross-system type connector group. 

3.Assign the corresponding connectors to the connector group. 

4.Generate rules. 

D. 1. Set the analysis scope of the function to cross-system. 

2.Create a cross-system type connector group. 

3.Assign the corresponding connectors to the connector group. 

4.Generate rules. 

Answer: D 

32. Which process steps should you perform when you define a workflow-related MSMP rule? 
(Choose two) 

A. Save a bottom expression. 

B. Select a result data object. 

C. Select result parameters. 

D. Save condition parameters. 

Answer: B,D 


33. For which of the following scenarios would you activate the end-user logon function? 
A. A user has no access to the Access Control system and needs to submit a request for access. 


B. A user has been promoted to manager and needs to log on to the Access Control system to 
approve a pending request. 

C. A user has successfully completed validation testing. 

D. A user has signed a non-disclosure agreement (NDA). 


Correct Answer: A 


34. Which of the following actions in Business Role Management require a connection to a 
target system? (Choose three) 

A. Generation 

B. Authorization maintenance (actions and permissions) 

C. Risk analysis 

D. Approval 

E. Testing 


Correct Answer: A,B,C 


35. Which of the following role provisioning types does Access Control user provisioning 
support? (Choose three) 

A. Direct 

B. Indirect 

C. Auto-provisioning at end of request 

D. No provisioning 

E. Combined 


Correct Answer: A,B,E 


36. Which of the following are rule types used in MSMP workflow? (Choose three) 
A. Web Service rule 

B. ABAP Class-Based rule 

C. Function Module-Based rule 

D. BRFplus rule 

E. ABAP User Exit-Based rule 


Correct Answer: B,C,D 


37. What data is synchronized when you run the GRAC_REPOSITORY_OBJECT_SYNC report? 
(Choose three) 

A. Profiles 

B. Roles 

C. Role usage 


D. PFCG authorizations 
E. Users 


Answer: A,B,E 


38. Which of the following jobs do you have to schedule to collect Firefighter session 
information? 

A. GRAC_SPM_LOG_ARCHIVING 

B. GRAC_SPM_WORKFLOW_SYNC 

C. GRAC_SPM_LOG_SYNC_UPDATE 

D. GRAC_SPM_CLEANUP 


Correct Answer: C 


39. Which of the following actions in Business Role Management require a connection to a 
target system? (Choose three) 

A. Generation 

B. Authorization maintenance (actions and permissions) 

C. Risk analysis 

D. Approval 

E. Testing 

Answer: A,B,C 


40. For which of the following scenarios would you activate the end-user logon function? 

A. A user has no access to the Access Control system and needs to submit a request for access. 
B. A user has been promoted to manager and needs to log on to the Access Control system to 
approve a pending request. 

C. A user has successfully completed validation testing. 

D. A user has signed a non-disclosure agreement (NDA). 

Answer: A 


41. What does assigning the Logical Group (SOD-LOG) type to a connector group allow you to 
do? 

A. Run a cross-system analysis. 

B. Use the connector group for transports to the target system. 

C. Monitor the target system. 

D. Use the connector group as a business role management landscape. 

Answer: D 


42. Which of the following role provisioning types does Access Control user provisioning 
support? (Choose three) 
A. Direct 


B. Indirect 

C. Auto-provisioning at end of request 
D. No provisioning 

E. Combined 

Answer: A,B,E 


43. Which configuration parameters determine the content of the log generated by the SPM Log 
Synch job? (Choose three) 

A. Enable Risk Change log (1002) 

B. Enable Authorization Logging (1100) 

C. Retrieve System log (4004) 

D. Retrieve OS Command log (4006) 

E. Retrieve Audit log (4005) 

Answer: C,D,E 


44. You have identified some risks that need to be defined as cross-system risks. How do you 
configure your system to enable cross-system risk analysis? 

A. 1. Set the analysis scope of the function to cross-system. 

2.Create cross-system type connectors. 

3.Assign the corresponding connectors to the appropriate connector group. 
4.Generate rules. 

B. 1. Set the analysis scope of the risk to cross-system. 

2.Create cross-system type connectors. 

3.Assign the corresponding connectors to the appropriate connector group. 
4.Generate rules. 

C. 1. Set the analysis scope of the risk to cross-system. 

2.Create a cross-system type connector group. 

3.Assign the corresponding connectors to the connector group. 

4.Generate rules. 

D. 1. Set the analysis scope of the function to cross-system. 

2.Create a cross-system type connector group. 

3.Assign the corresponding connectors to the connector group. 

4.Generate rules. 

Answer: D 


45. Which process steps should you perform when you define a workflow-related MSMP rule? 
(Choose two) 

A. Save a bottom expression. 

B. Select a result data object. 

C. Select result parameters. 

D. Save condition parameters. 


Answer: B,D 


